Summary
The current sandbox is Python-specific: AST guardrails use Python's ast module, the runtime preamble is Python code, and the executor runs python3 -I. However, the kernel-level defense layers (Landlock, seccomp, container hardening, NetworkPolicy) are entirely language-agnostic.
A plugin architecture would let developers choose their language module while sharing the kernel enforcement layers across all of them.
Proposed Design
Each language plugin implements a common interface:
```
sandbox/
  languages/
    python/
      guardrails.py        # AST validation (existing code)
      executor.py          # subprocess runner (existing code)
      profiles/
        minimal.yaml
        data-science.yaml
    bash/
      guardrails.py        # shellcheck-style static analysis
      executor.py          # bash -r (restricted mode)
    rust/
      guardrails.py        # cargo build validation
      executor.py          # compile in tmpdir + run binary
```
Interface contract:
validate(source, profile) -> list[str] — static analysis, returns violations
execute(source, timeout, ...) -> ExecutionResult — run in subprocess
Profile YAML gains a language field:
```yaml
name: bash-minimal
language: bash
description: Restricted bash execution
```
Shared kernel layers wrap all languages identically:
- Two-layer Landlock (parent broad, subprocess tight)
- Seccomp syscall filtering
- Container hardening (read-only rootfs, dropped caps)
- NetworkPolicy zero egress
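A sketch of how the interface contract and the profile's `language` field could fit together, added here as an illustration and not taken from the project's code. The names `Plugin`, `PLUGINS`, `run` and the profile keys `allowed_imports` and `allowed_commands` are assumptions, the bash check is a simplified stand-in for shellcheck-style analysis, and the shared kernel layers are not shown.

```python
import ast, shlex, subprocess, sys
from collections import namedtuple

ExecutionResult = namedtuple("ExecutionResult", "returncode stdout stderr")

class Plugin:
    argv = []  # interpreter command line; the source is fed on stdin
    def execute(self, source, timeout):
        try:
            p = subprocess.run(self.argv, input=source, text=True,
                               capture_output=True, timeout=timeout)
        except subprocess.TimeoutExpired:
            return ExecutionResult(-1, "", "timeout")
        return ExecutionResult(p.returncode, p.stdout, p.stderr)

class PythonPlugin(Plugin):
    argv = [sys.executable, "-I", "-"]
    def validate(self, source, profile):
        allowed = set(profile.get("allowed_imports", []))  # assumed profile key
        try:
            nodes = list(ast.walk(ast.parse(source)))
        except SyntaxError as e:
            return [f"syntax error: {e.msg}"]
        names = [a.name for n in nodes if isinstance(n, ast.Import) for a in n.names]
        names += [n.module or "." for n in nodes if isinstance(n, ast.ImportFrom)]
        return [f"import not allowed: {m}" for m in names
                if m.split(".")[0] not in allowed]

class BashPlugin(Plugin):
    argv = ["bash", "-r", "-s"]
    def validate(self, source, profile):
        allowed = set(profile.get("allowed_commands", []))  # assumed profile key
        out = []
        for n, line in enumerate(source.splitlines(), 1):
            try:
                words = shlex.split(line)
            except ValueError:  # unbalanced quotes, dangling backslash
                words = None
            if words is None or set(line) & set(";|&`$(){}<>"):
                out.append(f"line {n}: rejected shell syntax")
            elif words and words[0] not in allowed:
                out.append(f"line {n}: command not allowed: {words[0]}")
        return out

PLUGINS = {"python": PythonPlugin(), "bash": BashPlugin()}

def run(source, profile, timeout=5.0):
    plugin = PLUGINS[profile["language"]]  # KeyError: no plugin for that language
    violations = plugin.validate(source, profile)  # any violation blocks execution
    return violations, (None if violations else plugin.execute(source, timeout))
```

The dispatcher fails closed: an unknown `language` raises before anything runs, and source with violations never reaches the executor.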
Candidate Languages
| Language | Static Analysis | Executor | Notes |
|---|---|---|---|
| Bash | shellcheck + command allowlist | bash -r (restricted mode) | Restrict builtins, PATH |
| C/C++ | Compiler warnings + symbol check | compile in tmpdir, run binary | Resource limits via cgroups |
| Rust | cargo build in tmpdir | Run compiled binary | Memory-safe by default |
| Go | go build in tmpdir | Run compiled binary | Goroutine limits |
| Java | Classpath restriction | JVM with SecurityManager replacement | Module system for isolation |
| JavaScript | ESLint-based validation | Deno with --deny-* flags | Deno has built-in permissions |
Related
- Paper outline: research/paper-defense-in-depth.md section 6.1